Re: Setting Acct-Interim-Interval for all users
Nataniel Klug wrote:
> Is it possible to set up this parameter as a default for all clients
> using my Radius?

See raddb/acct_users

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to Restrict All Users from Certain APs
White III, Joe wrote:
> Based on the debug output down below, could I do the following in the
> users file?:
>
> DEFAULT User-Password == letmelook
>         Airespace-Wlan-Id = 4
>         Fall-Through = No

No. Put the Airespace attribute on the first line. See man users

And use Cleartext-Password := .. instead of User-Password. The server
WILL tell you to do this when you run it in debugging mode.

Alan DeKok.
Decoding complex CableLabs-Event-Message
Hi,

We would like to use FreeRadius to decode CableLabs accounting messages, as specified in http://www.cablelabs.com/packetcable/downloads/specs/PKT-SP-EM-I12-05812.pdf .

FreeRadius has a CableLabs dictionary, which works fine, but... The value of one of the AVPs, CableLabs-Event-Message, is actually a hex value containing additional fields. For example:

CableLabs-Event-Message = 0x0001d2d2026d30313030313030303000
0e8123330001000330313030313030303006323031323031333130363032
32312e36333981000500

FreeRadius does not decode that value to get all the details. For example, bytes 4 to 28 (d2d2026d30313030313030303e812333) are actually the BCID (Billing Correlation ID) field. The BCID itself contains 4 sub fields: NTP time reference (first 4 bytes), Element ID (next 8 bytes), Time Zone (next 8 bytes), and Event counter (last 4 bytes). See the PacketCable specifications for more details.

I understood the only way would be to write a perl module to decode those values. Before I start writing, does anyone know of any implementation of such a perl module? I would not like to spend my time rewriting something that already exists.

Thanks in advance for any help anyone could provide on this topic.

Laurent.
Re: Decoding complex CableLabs-Event-Message
Laurent Debacker wrote:
> We would like to use FreeRadius to decode CableLabs accounting messages, as
> specified in http://www.cablelabs.com/packetcable/downloads/specs/PKT-SP-EM-I12-05812.pdf.

Why do people do that? It's ridiculous.

> FreeRadius has a CableLabs dictionary, which works fine, but... The value of
> one of the AVPs, CableLabs-Event-Message, is actually a hex value containing
> additional fields.

Because it wouldn't make sense to send it as binary data, right? Ugh.

> FreeRadius does not decode that value to get all the details. For example,
> bytes 4 to 28 (d2d2026d30313030313030303e812333) are actually the BCID
> (Billing Correlation ID) field. The BCID itself contains 4 sub fields: NTP
> time reference (first 4 bytes), Element ID (next 8 bytes), Time Zone (next 8
> bytes), and Event counter (last 4 bytes). See the PacketCable specifications
> for more details.
>
> I understood the only way would be to write a perl module to decode those
> values.

Or write it in C. It should only be ~100 LoC. It should go into rlm_preprocess, just like the other functions that mangle stupid vendor formats.

> Before I start writing, does anyone know of any implementation of such a
> perl module? I would not like to spend my time rewriting something that
> already exists.

If one existed, it would be included with FreeRADIUS.

Alan DeKok.
Re: Decoding complex CableLabs-Event-Message
Laurent Debacker wrote:
> We would like to use FreeRadius to decode CableLabs accounting messages, as
> specified in http://www.cablelabs.com/packetcable/downloads/specs/PKT-SP-EM-I12-05812.pdf.

After reading that spec... those guys are crazy. They invented their own format, and didn't even use sub-TLVs.

It will be a LOT of work to get this done. It's not difficult work. It's just that the document specifies a lot of one off data formats. This means every single case has to be handled by writing code.

If they had used a generic format, then we could have done a dictionary to attribute mapping as with normal RADIUS.

Alan DeKok.
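A decoder for the BCID sub-fields Laurent describes, added here as an example; it is not code from FreeRADIUS, from rlm_preprocess, or from any poster. It follows the 4/8/8/4-byte layout given in the thread and converts the NTP time reference to Unix time; the 2-byte offset before the BCID and the ASCII treatment of Element ID and Time Zone are assumptions, and the sample value is constructed, not the message from the post.

```python
"""Decode the BCID sub-fields of a CableLabs-Event-Message value.

Added example, not FreeRADIUS code. Layout follows the list thread:
NTP time (4 bytes), Element ID (8), Time Zone (8), Event counter (4).
Assumption: the BCID starts right after a 2-byte version field.
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

# NTP timestamps count seconds from 1900-01-01; Unix time from 1970-01-01.
NTP_UNIX_OFFSET = 2208988800

# Big-endian: uint32 NTP time, 8-byte Element ID, 8-byte Time Zone, uint32 counter.
BCID_STRUCT = struct.Struct(">I8s8sI")
BCID_LEN = BCID_STRUCT.size   # 24 bytes
BCID_OFFSET = 2               # assumed: BCID follows the 2-byte version field


@dataclass(frozen=True)
class BCID:
    ntp_seconds: int
    element_id: str
    time_zone: str
    event_counter: int

    @property
    def unix_time(self) -> int:
        return self.ntp_seconds - NTP_UNIX_OFFSET

    @property
    def timestamp(self) -> str:
        dt = datetime.fromtimestamp(self.unix_time, tz=timezone.utc)
        return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_radius_octets(value: str) -> bytes:
    """Turn the 0x... form FreeRADIUS prints (possibly wrapped over several
    lines, as in the post) into raw bytes."""
    hexstr = "".join(value.split())
    if hexstr[:2].lower() == "0x":
        hexstr = hexstr[2:]
    if len(hexstr) % 2:
        raise ValueError("odd number of hex digits; value probably truncated")
    return bytes.fromhex(hexstr)


def _text_field(raw: bytes) -> str:
    """Element ID and Time Zone are ASCII digits in the posted sample; fall
    back to hex so unexpected binary content stays visible, not mis-decoded."""
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return raw.hex()


def decode_bcid(event_message: bytes, offset: int = BCID_OFFSET) -> BCID:
    """Extract the BCID from a decoded CableLabs-Event-Message value."""
    if len(event_message) < offset + BCID_LEN:
        raise ValueError(
            f"need {offset + BCID_LEN} bytes for the BCID, got {len(event_message)}")
    ntp, element, tz, counter = BCID_STRUCT.unpack_from(event_message, offset)
    return BCID(ntp, _text_field(element), _text_field(tz), counter)


# Constructed sample (not the value from the post): version 0x0001, NTP time
# 0xd2d2026d, Element ID "01001000", Time Zone "00000000", Event counter 3,
# followed by the first two bytes of whatever field comes next.
SAMPLE = (
    "0x0001d2d2026d"
    "3031303031303030"
    "3030303030303030"
    "00000003"
    "0200"
)

if __name__ == "__main__":
    bcid = decode_bcid(parse_radius_octets(SAMPLE))
    print(bcid, bcid.timestamp)
```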
Question about WARNING in rlm_sql_mysql
Hello all,

Can somebody shed some light on what the 'You probably need to lower min' means? I just installed fresh freeradius from git. All my settings are the same as in the last version, but apart from radiusd -X not working (radiusd -lxx -l stdout is), radius.log displays this warning about lowering the number of sql connections. Can anybody give some advice??

Regards,
Krzysztof
Re: Question about WARNING in rlm_sql_mysql
On Tue, Jan 31, 2012 at 4:31 PM, Krzysztof Grobelak kgrobe...@airspeed.ie wrote:
> Hello all,
>
> Can somebody shed some light on what the 'You probably need to lower min'
> means? I just installed fresh freeradius from git. All my settings are the
> same as in the last version but apart from the radiusd -X not working

Which part is not working?

> (but the radiusd -lxx -l stdout is) radius.log displays this warning about
> lowering number of sql connections. Can anybody give some advice??

git blame and git show to the rescue :)

$ git show a966a18e
commit a966a18e757bff638bbf725d6f9150b5026fe07d
Author: Alan T. DeKok al...@freeradius.org
Date:   Sun Nov 6 11:02:44 2011 +0100

    Print WARNING if we fall below min connections

    We want to close idle sessions, sessions with max lifetime or max uses.
    BUT we want to enforce min.  The code will currently close a connection,
    notice num < min, and spawn a new one.  We warn the user that this is
    happening, so that they can fix their configuration.

--
Fajar
Re: Question about WARNING in rlm_sql_mysql
Krzysztof Grobelak wrote:
> Can somebody shed some light on what the 'You probably need to lower min'
> means?

See raddb/modules/sql in the latest git repository. The values and functionality are documented there.

> I just installed fresh freeradius from git. All my settings are the same as
> in the last version but apart from the radiusd -X not working (but the
> radiusd -lxx -l stdout is) radius.log displays this warning about lowering
> number of sql connections. Can anybody give some advice??

Try lowering the minimum number of connections?

Alan DeKok.
RE: Mixed Environment Question
The user session authenticates and receives their IP address, accounting packets start etc - all part of a normal session. But the Juniper MX logs an entry such as this:

Jan 30 13:12:19 lab-mx80 jpppd: NACK received for profile request with id=3f55d50 from dcd daemon: Generic conf read error retry FALSE
Jan 30 13:12:22 lab-mx80 dcd[1295]: UI_CONFIGURATION_ERROR: Process: dcd, path: [edit pp0 unit 1073741902 family inet], statement: unnumbered-address, Cannot have the same local address on the same unit of an interface

And once you see that entry, it's a matter of seconds and the user session drops. While the user session is active, the internal route to their session never gets created properly on the MX either, so you can't pass traffic or anything.

Take away any additional VSAs and sessions work perfectly.

Thanks,
Paul

-----Original Message-----
From: freeradius-users-bounces+paul=paulstewart@lists.freeradius.org [mailto:freeradius-users-bounces+paul=paulstewart@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, January 31, 2012 2:32 AM
To: FreeRadius users mailing list
Subject: Re: Mixed Environment Question

Paul Stewart wrote:
> I will roll a ticket with Juniper as their MX series in my testing does
> **not** ignore additional VSA’s – I just proved it out in our lab.

What does it do?

I suppose I shouldn't be surprised at the crazy things people do to break RADIUS.

Alan DeKok.
RE: Setting Acct-Interim-Interval for all users
Thank you Alan.

-----Original Message-----
From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org [mailto:freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Tuesday, 31 January 2012 04:37
To: FreeRadius users mailing list
Subject: Re: Setting Acct-Interim-Interval for all users

Nataniel Klug wrote:
> Is it possible to set up this parameter as a default for all clients
> using my Radius?

See raddb/acct_users

Alan DeKok.
Re: Question about WARNING in rlm_sql_mysql
Krzysztof Grobelak wrote:
> I did lower it, as it recommends, but I did not have to do it in previous
> versions and I wanted to understand what has changed in the new release.

Read raddb/mods-available/sql

Really. You managed to edit that file. This means you saw the comments in that file describing what changed.

> And thanks for the handy git commands Fajar. The radiusd -X command does
> not start the debug. It advises to use the radiusd -lxx -l stdout command
> to start it. I thought that freeradius is compiled with threads usage by
> default.

Yes, it is. But debug mode is single threaded. And if you want to use radsec, you MUST use threaded mode for debugging. The message describes what to do.

If you don't use radsec, then delete raddb/sites-enabled/tls

Alan DeKok.
Joining Active Directory Domain
Hi,

I am following the FreeRadius Beginners Guide book on how to join a domain. I keep on getting this error when running the command.

root@FreeRadius:/etc# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- SQA
Joined 'FREERADIUS' to realm 'SQA.net'
[2012/01/31 10:21:29,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password FREERADIUS$@SQA.NET failed: Clock skew too great
No DNS domain configured for freeradius. Unable to perform DNS Update.
DNS update failed!
root@FreeRadius:/etc#

I have checked the clock, added the DNS forward lookup zone to the AD domain, and added the AD server to the resolv.conf and /etc/hosts files. I am able to ping both servers. I am attempting to join my FreeRadius domain to my 2008 Server Active Directory domain.

Thanks
Scott
Re: Joining Active Directory Domain
Gilmour, Scott wrote:
> I have checked the clock, added the DNS forward lookup zone to the AD
> domain, and added the AD server to the resolv.conf and /etc/hosts files. I
> am able to ping both servers.

Weird. Try following my guide: http://deployingradius.com/

I haven't heard of any issues with it.

Alan DeKok.
Segmentation Fault in 2.1.12 - rlm_eap-2.1.12.so
FreeRadius has been stable for about a month, up until yesterday, and I have not changed the configuration of the server. I began seeing segmentation faults as seen below:

#grep radiusd /var/log/messages
Jan 30 15:53:03 radius1 kernel: radiusd[14764]: segfault at 70 ip 7fb9d4ba81ed sp 7fb9917fa490 error 4 in rlm_eap-2.1.12.so[7fb9d4ba6000+7000]
Jan 31 09:09:43 radius1 kernel: radiusd[26073]: segfault at 70 ip 7fe5e2c9a1ed sp 7fe5a2bfc490 error 4 in rlm_eap-2.1.12.so[7fe5e2c98000+7000]
Jan 31 09:12:33 radius1 kernel: radiusd[8743]: segfault at 70 ip 7fa6d3acc1ed sp 7fa6cd241490 error 4 in rlm_eap-2.1.12.so[7fa6d3aca000+7000]
Jan 31 09:20:38 radius1 kernel: radiusd[9849]: segfault at 70 ip 7ff092a6c1ed sp 7ff08fde7490 error 4 in rlm_eap-2.1.12.so[7ff092a6a000+7000]

I have not included my radiusd -X because it will need to be heavily censored, and I have my fingers crossed that someone can help with only the information I've provided.

Can anyone tell me how to prevent this, or if a fix is available?

Thank you,
Dave A.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/Segmentation-Fault-in-2-1-12-rlm-eap-2-1-12-so-tp5444972p5444972.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Using different realm in the same server
Hi all,

I'm trying to use different realms on the same server, but I am probably missing something. I just want to check my users in the radcheck table as user@realm, but I can't get it working.

Here is my radcheck table:

mysql> select * from radcheck where username like 'tesths%';
+----+------------------+--------------------+----+--------------+
| id | username         | attribute          | op | value        |
+----+------------------+--------------------+----+--------------+
|  5 | tesths2          | Cleartext-Password | := | tesths2      |
|  4 | tesths@drupalAP1 | Cleartext-Password | := | tesths       |
| 11 | tesths@drupalAP1 | Login-Time         | := | Any1000-2000 |
|  8 | tesths@drupalAP1 | Max-Daily-Session  | := | 36000        |
| 12 | tesths@drupalAP1 | Expiration         | := | 31 Mar 2012  |
+----+------------------+--------------------+----+--------------+
5 rows in set (0.03 sec)

Following is the output of freeradius -X replying to my Access-Request. As you can see it searches for the cleartext password for tesths@drupalAP1, but it doesn't find it:

rad_recv: Access-Request packet from host 213.144.94.217 port 2060, id=64, length=322
	ChilliSpot-Version = 1.2.7-svn
	User-Name = tesths@drupalAP1
	CHAP-Challenge = 0x1d5cbf018e5c3e1f0f27db84019d6334
	CHAP-Password = 0x00e56e25844efe021fe0ada407d300798d
	Service-Type = Login-User
	Acct-Session-Id = 4f2815590001
	Framed-IP-Address = 10.1.0.3
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	NAS-Port-Id = 0001
	Calling-Station-Id = 48-5D-60-71-DC-CC
	Called-Station-Id = 58-6D-8F-B4-69-F7
	NAS-IP-Address = 192.168.2.152
	NAS-Identifier = coovaAP01
	WISPr-Location-ID = isocc=,cc=,ac=,network=Coova,Coova_HotSpot01
	WISPr-Location-Name = My_HotSpot
	WISPr-Logoff-URL = http://10.1.0.1:3660/logoff;
	Message-Authenticator = 0xcbdb61af05f57eb2c5ef22c62a339623
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[chap] Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm drupalAP1 for User-Name = tesths@drupalAP1
[suffix] No such realm drupalAP1
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] 	expand: %{User-Name} -> tesths@drupalAP1
[sql] sql_set_user escaped user --> 'tesths@drupalAP1'
rlm_sql (sql): Reserving sql socket id: 1
[sql] 	expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tesths@drupalAP1' ORDER BY id
[sql] User found in radcheck table
[sql] 	expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'tesths@drupalAP1' ORDER BY id
[sql] 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'tesths@drupalAP1' ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
sqlcounter_expand:  'SELECT SUM(acctsessiontime - GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400''
[dailycounter] 	expand: SELECT SUM(acctsessiontime - GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = '%{User-Name}' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400' -> SELECT SUM(acctsessiontime - GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'tesths@drupalAP1' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400'
sqlcounter_expand:  '%{sql:SELECT SUM(acctsessiontime - GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'tesths@drupalAP1' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400'}'
[dailycounter] sql_xlat
[dailycounter] 	expand: %{User-Name} -> tesths@drupalAP1
[dailycounter] sql_set_user escaped user --> 'tesths@drupalAP1'
[dailycounter] 	expand: SELECT SUM(acctsessiontime - GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0)) FROM radacct WHERE username = 'tesths@drupalAP1' AND UNIX_TIMESTAMP(acctstarttime) + acctsessiontime > '1327964400' -> SELECT SUM(acctsessiontime - GREATEST((1327964400 - UNIX_TIMESTAMP(acctstarttime)), 0))
Re: Segmentation Fault in 2.1.12 - rlm_eap-2.1.12.so
DaveA wrote:
> FreeRadius has been stable for about a month, up until yesterday, and I have
> not changed the configuration of the server. I began seeing segmentation
> faults as seen below:

See doc/bugs for how to help debug problems.

> I have not included my radiusd -X because it will need to be heavily
> censored, and I have my fingers crossed that someone can help with only the
> information I've provided.

The -X information won't help here.

> Can anyone tell me how to prevent this, or if a fix is available?

I haven't seen any issue with rlm_eap.

Alan DeKok.
Re: Joining Active Directory Domain
On 01/31/2012 03:32 PM, Gilmour, Scott wrote:
> Hi,
>
> I am following the FreeRadius Beginners Guide book on how to join a domain.
> I keep on getting this error when running the command.
>
> root@FreeRadius:/etc# net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- SQA
> Joined 'FREERADIUS' to realm 'SQA.net'
> [2012/01/31 10:21:29,  0] libads/kerberos.c:333(ads_kinit_password)
>   kerberos_kinit_password FREERADIUS$@SQA.NET failed: Clock skew too great
> No DNS domain configured for freeradius. Unable to perform DNS Update.
> DNS update failed!

This is Samba being annoying. The net ads stuff cares about your hostname, i.e.

$ hostname
freeradius

...won't work. You can fool it by temporarily changing your domain to:

$ hostname freeradius.soa.net
Re: Joining Active Directory Domain
And your system time is too far from that of the AD. Ensure you are synced, e.g. with ntpdate or ntpd.

alan
Newbie and Sqlippool
Hi,

I am trying to test sqlippool on freeradius, but I've found that the documentation explains very well how to implement it, but it doesn't explain very well how I can set a user or a group to use this pool. Can someone explain to me how I can do this?

I've set up a pool called 'main_pool' in my database:

select * from radippool;
+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
| id | pool_name | FramedIPAddress | NASIPAddress | CalledStationId | CallingStationID | expiry_time         | username | pool_key |
+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
|  1 | main_pool | 172.16.254.1    |              |                 |                  | 0000-00-00 00:00:00 |          |          |
+----+-----------+-----------------+--------------+-----------------+------------------+---------------------+----------+----------+
1 row in set (0.01 sec)

and I have this user:

select * from radcheck;
+----+----------+---------------+----+-------+-------+
| id | UserName | Attribute     | op | Value | ativo |
+----+----------+---------------+----+-------+-------+
|  1 | modesto  | User-Password | == | 12345 | S     |
+----+----------+---------------+----+-------+-------+
1 row in set (0.00 sec)

I've already tried to associate the Pool-Name attribute with this user, but it didn't work. Can someone explain to me how this stuff works or send me more detailed documentation?

Thanks in advance.

Regards.
Joining Active Directory Domain
> Hi,
>
> I am following the FreeRadius Beginners Guide book on how to join a domain.
> I keep on getting this error when running the command.
>
> root@FreeRadius:/etc# net ads join -U Administrator
> Enter Administrator's password:
> Using short domain name -- SQA
> Joined 'FREERADIUS' to realm 'SQA.net'
> [2012/01/31 10:21:29,  0] libads/kerberos.c:333(ads_kinit_password)
>   kerberos_kinit_password FREERADIUS$@SQA.NET failed: Clock skew too great
> No DNS domain configured for freeradius. Unable to perform DNS Update.
> DNS update failed!
>
> This is Samba being annoying. The net ads stuff cares about your hostname,
> i.e.
>
> $ hostname
> freeradius
>
> ...won't work. You can fool it by temporarily changing your domain to:
>
> $ hostname freeradius.soa.net

Hi,

I am assuming I should edit the $ hostname freeradius.sqa.net in the /etc/hostname file? The only config file I don't have is the krb5 config file, but it says it is not necessary on the www.deployingradius.com website:

> You may also have to edit the /etc/krb5.conf file, to add an entry that
> points to the Active Directory Server. This is often not necessary, as Samba
> can just figure it out when Active Directory is also the main DNS server.

I am unable to install the krb5-kdc file using the synaptic package manager.

Still getting this error:

root@FreeRadius:/home/sqauser# net join -U Administrator
Enter Administrator's password:
Failed to join domain: failed to find DC for domain SQA.NET
ADS join did not work, falling back to RPC...
Unable to find a suitable server for domain SQA
Unable to find a suitable server for domain SQA
root@FreeRadius:/home/sqauser#

Thanks for everyone's feedback. I will continue to debug my issue.

Scott
Re: Newbie and Sqlippool
Antonio Modesto wrote:
> I am trying to test sqlippool on freeradius, but I've found that the
> documentation explains very well how to implement it, but it doesn't
> explain very well how I can set a user or a group to use this pool.

Set:

	update control {
		Pool-Name := main_pool
	}

That sets the pool to use.

> and I have this user:
>
> select * from radcheck;
> +----+----------+---------------+----+-------+-------+
> | id | UserName | Attribute     | op | Value | ativo |
> +----+----------+---------------+----+-------+-------+
> |  1 | modesto  | User-Password | == | 12345 | S     |
> +----+----------+---------------+----+-------+-------+

That's wrong. Use Cleartext-Password := instead of User-Password ==

> I've already tried to associate the Pool-Name attribute with this user,
> but it didn't work.

See the FAQ for it doesn't work.

Alan DeKok.
Verifying you are Joining the Active Directory Domain
Hi,

Still can't figure out why the clock is skewed, since both my Ubuntu and Active Directory server are showing the same time and date. My Ubuntu server is an NTP server, but when I issue the command net time system I get this error: Can't contact server (null). Error NT_STATUS_BAD_NETWORK_NAME

It looks like it joined the domain, but when I do a wbinfo -u it gives me an error message: Error looking up domain users.

Plus when I go to my 2008 Server and I open up Active Directory, select my domain and choose Domain Controllers, my FreeRadius server isn't listed in that directory, but it is listed under Computers. Is this correct?

Thanks
Scott

root@FreeRadius:/home/sqauser# net ads join -U Administrator
Enter Administrator's password:
Using short domain name -- SQA
Joined 'FREERADIUS' to realm 'SQA.net'
[2012/01/31 15:44:15,  0] libads/kerberos.c:333(ads_kinit_password)
  kerberos_kinit_password FREERADIUS$@SQA.NET failed: Clock skew too great
root@FreeRadius:/home/sqauser#
root@FreeRadius:/home/sqauser# wbinfo -u
Error looking up domain users
root@FreeRadius:/home/sqauser#
Re: Verifying you are Joining the Active Directory Domain
Gilmour, Scott wrote:
> Hi,
>
> Still can't figure out why the clock is skewed, since both my Ubuntu and
> Active Directory server are showing the same time and date. My Ubuntu
> server is an NTP server, but when I issue the command net time system I get
> this error: Can't contact server (null). Error NT_STATUS_BAD_NETWORK_NAME

Fix that before you go any further.

Alan DeKok.
Re: Verifying you are Joining the Active Directory Domain
On Tue, Jan 31, 2012 at 08:54:40PM +0000, Gilmour, Scott wrote:
> It looks like it joined the domain

# net ads testjoin

will tell you if you're joined or not - you should get Join is OK.

> but when I do a wbinfo -u it gives me an error message: Error looking up
> domain users.
>
> root@FreeRadius:/home/sqauser#
> root@FreeRadius:/home/sqauser# wbinfo -u
> Error looking up domain users

If you've only just joined the domain, you likely need to restart winbindd. But get your time synchronized properly first.

Matthew

--
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Member of Group Check Else REJECT
Hi,

I'm trying to check if a user is coming from a particular NAS, then check that the user is also a member of a GROUP associated to that NAS, else REJECT access.

Authorise section..

if (NAS-Identifier == 'OpenVPN' && SQL-GROUP == 'openvpn') {
	update reply {
		Reply-Message := "OpenVPN AuthCheck OK"
	}
	reject
}

Wed Feb  1 00:37:59 2012 : Info: ++? if (NAS-Identifier == 'OpenVPN' && SQL-GROUP == 'openvpn')
Wed Feb  1 00:37:59 2012 : Info: ? Evaluating (NAS-Identifier == 'OpenVPN' ) -> TRUE
Wed Feb  1 00:37:59 2012 : Info: sql_groupcmp
Wed Feb  1 00:37:59 2012 : Info: 	expand: %{User-Name} -> nev
Wed Feb  1 00:37:59 2012 : Info: sql_set_user escaped user --> 'nev'
Wed Feb  1 00:37:59 2012 : Debug: rlm_sql (sql): Reserving sql socket id: 1
Wed Feb  1 00:37:59 2012 : Info: 	expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'nev' ORDER BY priority
Wed Feb  1 00:37:59 2012 : Debug: rlm_sql (sql): Released sql socket id: 1
Wed Feb  1 00:37:59 2012 : Info: sql_groupcmp finished: User is NOT a member of group openvpn

As user 'nev' is not part of group 'openvpn' but is trying to access NAS 'OpenVPN', it should reject the login and not go any further, but it does not. I know I'm missing something, so any help would be greatly appreciated.

Thx
Nev